Splunk Enterprise

Help to make my apps CIM compliant

jip31
Motivator

Hi

I have developed a dashboard relative to firewall metrics.

I need to make my dashboard CIM compliant.

Do I need my searches linked to the firewall datamodel with the firewall tstats datamodel (tstats where datamodel=....), or do I just need to create tags and eventtypes following the firewall datamodel? I don't understand anything, so can someone describe clearly all the steps for having my apps CIM compliant?

Thanks

0 Karma

PickleRick
SplunkTrust
SplunkTrust

Your question is not clear.

If you want to make your ingested data CIM-compliant you should do as @marnall says - create tags, make sure your fields are either CIM-conformant or create calculated fields and aliases to make them CIM-conformant.

But as you're speaking about dashboards - if you want to use datamodels, just do that - search or do tstats over datamodels, not raw data. And use those searches to power your dashboard panels.

0 Karma

marnall
Motivator

To make your app CIM-compliant, you should do the following:

1. Use EventTypes to apply the tags to the events so they end up in the correct data model. E.g. tag "network" and "communicate" to put it in the NetworkTraffic data model.

2. Add field extractions, calculated fields, lookups, etc., to get values for the fields listed in the CIM model. The Vladiator app is useful for this purpose: https://splunkbase.splunk.com/app/2968

Ref: https://docs.splunk.com/Documentation/CIM/5.3.2/User/NetworkTraffic

0 Karma

jip31
Motivator

Not sure I understand.

when you say "1. Use EventTypes to apply the tags to the events so they end up in the correct data model. E.g. tag "network" and "communicate" to put it in the NetworkTraffic data model."

Imagine that my search is index=main uri="*.php*" OR uri="*.py*"

Do you mean that I have to onboard this in a tag called "network"?

And if I have a field called "ip" in my apps, does it mean I have to tag it as "dest_ip" following the Network Traffic datamodel?

0 Karma

PickleRick
SplunkTrust
SplunkTrust

No. The first step to answering your question is understanding what a datamodel is. It is a middle layer abstracting the actual data structure from your search.

This way, if you want to do a search across your network devices you don't have to know specific technical details about the sources or even in which indexes the details are stored (CIM configuration takes care of that). You're just doing a search on a datamodel. For example,

| tstats sum(All_Traffic.bytes) from datamodel=Network_Traffic where All_Traffic.src_ip=172.16.* by All_Traffic.src_ip

will give you the amount of traffic per source IP from a specific network. It doesn't care where the actual data comes from - this is the beauty of the datamodel. As long as your sources are properly onboarded and CIM-compliant, it doesn't matter if the data comes from Juniper, Palo Alto, Cisco or Fortigate. The datamodel abstracts this from your search.

But in order for this to work properly, as I mentioned, you must have properly onboarded data - you must have proper add-ons making sure the data is properly normalized and provides standardized fields (even if the fields are named differently in the original event). This is done by means of field aliases and calculated fields.

So you don't typically use the term "CIM-compliance" when talking about searching/dashboards. When searching you're not "compliant". You simply use the datamodel. It's the underlying data that must be CIM-compliant so your searches against datamodels work properly.
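As an added illustration of marnall's two steps and of the field aliases and calculated fields PickleRick describes, here is example configuration written for this thread (not taken from any Splunk add-on) that maps a hypothetical sourcetype `acme:firewall` into the Network_Traffic datamodel. The sourcetype and the original field names `ip`, `saddr`, `dport`, `sport`, `proto`, `fw_action`, `bytes_in` and `bytes_out` are assumptions; the tags and CIM field names come from the Network_Traffic documentation linked above.

```ini
# default/eventtypes.conf   (paths are relative to the app directory)
# Step 1: an eventtype that selects the events. The sourcetype is hypothetical.
[acme_firewall_traffic]
search = sourcetype=acme:firewall

# default/tags.conf
# The All_Traffic dataset of Network_Traffic is constrained by tag=network tag=communicate,
# so tagging the eventtype is what routes these events into the datamodel.
[eventtype=acme_firewall_traffic]
network = enabled
communicate = enabled

# default/props.conf
[acme:firewall]
# Step 2: expose CIM field names next to the original ones. One original field may be
# aliased to several CIM names (e.g. the raw "ip" field becomes both dest_ip and dest).
# Original field names (ip, saddr, dport, sport) are assumed for this example.
FIELDALIAS-acme_cim_endpoints = ip AS dest_ip ip AS dest saddr AS src_ip saddr AS src dport AS dest_port sport AS src_port
# Calculated fields normalize vendor-specific values to the CIM vocabulary.
# CIM action expects allowed | blocked | teardown; anything else is marked unknown.
EVAL-action = case(match(fw_action, "(?i)^(permit|allow)"), "allowed", match(fw_action, "(?i)^(deny|drop|reject)"), "blocked", true(), "unknown")
EVAL-transport = lower(proto)
EVAL-bytes = tonumber(bytes_in) + tonumber(bytes_out)

# Checks after the knowledge objects are deployed (run from the search bar, not from a .conf):
#   | from datamodel:"Network_Traffic.All_Traffic" | search sourcetype=acme:firewall | table dest_ip dest_port action bytes
#   | tstats count from datamodel=Network_Traffic by sourcetype
# The first shows the normalized fields per event; the second confirms the sourcetype is
# now reported by the datamodel that the dashboard's tstats searches will query.
```

Tags, aliases and calculated fields are search-time knowledge objects, so existing events pick them up without re-indexing; if Network_Traffic is accelerated, already-built summaries will not include these events until the acceleration is rebuilt or catches up.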
